FEATURE ARTICLES
SMART BUILDINGS: A CYBERSECURITY LIABILITY Faisal Hamood, P.Eng. M.Eng. & Michael Osborne, P.Eng. Australians are concerned about the ability of public and private institutions to adequately protect their data, particularly after the high-profile NT Health data breach in 20211 and the devastation brought by a ransomware attack on regional hospitals in Victoria in 2019.2 In the hospitality industry, a breach of data at Marriott exposed the privacy of nearly half a billion guests who stayed at the hotel chain between 2014 and 2018.3 It is crucial for organizations to be proactive when it comes to cybersecurity. Security breaches are often the result of blind spots for IT and security teams. This is especially the case when organizations don’t manage their own assets or are not aware of their existence. Internet of Things (IoT) devices are a prime example of such assets. Building owners and operators rely on many types of IoT devices, such as refrigeration, HVAC, and lighting systems, to diagnose faults, collect data, and remotely operate and service equipment. Each of these systems offers a tempting open pathway for an attacker. In 2017 a casino’s high-roller database was exposed to hackers who infiltrated the network through a smart thermostat and pulled data through the network up to the cloud.4 It is more important than ever for building owners and designers to map their smart buildings’ attack surface, expose that shadow risk, and eliminate all attack vectors. Smart buildings collect data from equipment and sensors and analyze them to improve operational efficiency, reduce waste, and ensure occupant comfort—all worthy efforts. An example of the many government and non-profit efforts to improve building energy efficiency and environmental impact is the National Australian Built Environment Rating System (NABERS), part of a broader goal to make commercial buildings energy efficient and reduce greenhouse gas emissions.5 But as smart buildings and IoT devices
gain momentum in the market, unless we carefully consider their security, we risk exposing our data and privacy to malicious actors.
BACnet protocol Smart buildings need smart devices to deliver the information needed for energy analytics, fault detection, and remote operations management. These devices communicate over Wi-Fi, Ethernet, Bluetooth, EIA-485, and a variety of other networks. Smart devices also provide information to direct digital control (DDC) controllers for status, temperature, CO2 levels, and various other parameters. DDC controllers operate everything from large air handlers to small light sensors using a centralized, network-oriented approach and open protocol languages such as BACnet, Modbus, and KNX.
43
